Vista Isolates Internet Malware

New Integrity Control feature keeps unintentionally downloaded software in a sandbox

Executive Summary:

Windows Server 2008 and Windows Vista offer Windows Integrity Control (aka Mandatory Integrity Control), which includes five predefined integrity levels. Integrity Control's integrity levels can be displayed using Icacls and Whoami. All content unintentionally downloaded from the Internet and saved to the Temporary Internet File folder is given the low integrity level and run in protected mode.

It probably comes as no surprise that in Windows Server 2008 (formerly code-named Longhorn) and Windows Vista, Microsoft continues its war on malware. Windows 2008 and Vista include several new security features to better protect the OS, its data, and its users from the harm that can be caused by malware. For an overview of these malware protection mechanisms, see the Security Pro VIP article “Fighting Malicious Software with Windows Vista,” January 2007, InstantDoc 94583.

The new malware protection mechanisms include two features that are the result of fundamental changes to the Windows security architecture: User Account Control (UAC), which is a least privilege solution, and Integrity Control, which is an isolation or sandboxing mechanism for malware that users unknowingly download from the Internet. Integrity Control is also an extension of the existing Windows access control model, which is the OS logic that decides who can access which resources. I discussed UAC in detail in the Windows IT Security article “Windows Vista’s Take on Least Privilege,” October 2006, InstantDoc 93300. In this article I'll focus on Integrity Control's architecture, operation, and configuration. Although UAC and Integrity Control use different protection mechanisms, they provide similar services that complement one another and provide defense in depth. Both UAC and Integrity Control can isolate malware and stop it from spreading on your Windows OS.

What Integrity Control Can Do

Vista's Integrity Control is also referred to as Windows Integrity Control (WIC) and Mandatory Integrity Control (MIC). Administrators can use Integrity Control to give securable Windows objects, such as file system folders and files or registry folders and keys, a level of trustworthiness, or an integrity level, as Microsoft refers to it. An object’s integrity level doesn't replace but rather adds to the object’s typical access permissions. Integrity levels can be linked not only to Windows objects but also to users and processes. They don't replace but rather augment users’ and processes’ typical user rights and group memberships.

Integrity Control's integrity levels ensure that objects, users, or processes that have a low integrity level can't interfere with resources that have a higher integrity level. For example, code that you unknowingly download from the Internet and that Microsoft Internet Explorer (IE) saves to the Temporary Internet Files folder is assigned the low integrity level by default. If the code tries to write to a registry folder, Integrity Control will block it because Windows assigns registry folders a higher integrity level by default. Integrity Control can not only block objects, users, and processes with a low integrity level from writing to resources with a higher integrity level but can also restrict them from executing higher-level resources.

Integrity levels augment and supersede the typical resource permissions. Even if code you downloaded from the Internet has full-control permissions to a registry key, by virtue of running under your user account, it will be blocked from writing to that key because of its low integrity level.

Integrity Control, DAC, and MAC

Microsoft's inspiration for Integrity Control was the labeling mechanism that the military and government use for documents—marking them as classified or top secret or another level and giving the people that require access to this information the necessary clearance level.

The access control model I just described is known as mandatory access control (MAC). The central idea behind MAC is that an organization (or system) and its IT administrators define an access control policy and assign access levels to both users and resources. In other words, resource-owning users don't control the access permissions of their resources. This lack of user control makes the MAC model very different from the discretionary access control (DAC) model. Windows has always used a combination of the DAC and the MAC models for controlling access to its resources.

The MAC model is more prominent in Windows 2008 and Vista than it was in previous Windows versions. In Integrity Control, Windows automatically assigns integrity levels to resources based on the MAC model. Administrators can change resources’ integrity levels only after the OS assigns them, which means the OS could assign resources an integrity level so high that even administrators can't access them.

Integrity Control Integrity Levels

Integrity Control includes five predefined integrity levels (aka trust levels), which are listed in Table 1 and discussed in detail below. The following five integrity levels are listed from the lowest to highest:

The untrusted integrity level is the lowest integrity level. Integrity Control assigns an untrusted integrity level to processes that log on anonymously.

The low integrity level is assigned to anything that's unintentionally downloaded to your Windows system from the Internet and saved to the Temporary Internet Files folder. IE 7.0 (the default browser in Windows 2008 and Vista) also uses the low integrity level when it runs in protected (or sandboxed) mode, which is the default IE operation mode.

The medium integrity level is the default integrity level. It's implicitly assigned to objects, users, or processes that don’t have an explicit integrity level defined. The medium integrity level is also assigned to content that users intentionally download from the Internet by using Save As.

The high integrity level is the default integrity level for administrator accounts.

The system integrity level is the highest integrity level. Windows 2008 and Vista assign the system integrity level to all system services and kernel-level processes.

Figure 1 illustrates the implication that integrity levels have for Windows users. If a user with a medium integrity level uses Notepad to try to write to a file called wic.txt that has a high integrity level, Windows will block the user from doing so and display the error message shown.

The above list shows how Integrity Control uses the low integrity level to effectively isolate malware that users unknowingly download from the Internet and that IE saves in the Temporary Internet Files folder. The low integrity level sits below the default medium integrity level in the integrity level hierarchy, which means that Integrity Control will automatically block Internet malware from accessing local system resources. By default, the medium integrity level is assigned to all unlabelled objects, users, and processes—which is most of the objects, users, and processes on a Windows 2008 or Vista system.

Integrity Control won't block software that's downloaded to your system from a source other than the Internet, such as a floppy disk, USB token, CD-ROM, or DVD. Such software will be assigned either a medium or high integrity level, depending on the account you're logged on with when the software is introduced, which is why it's important to honor least privilege, even in Windows 2008 and Vista. You must ensure that UAC is never turned off and be extremely careful when accessing floppy disk, USB, CD-ROM, or DVD content from administrator-level processes.

Viewing and Changing Integrity Levels

You should now have a pretty good understanding of how Integrity Control and integrity levels work. Next, let's look at how you can work with objects’, users’, and processes’ integrity levels.

In addition to a Discretionary ACL (DACL)—in which Windows stores an object’s access permissions—each Windows object also has a System ACL (SACL), which holds an object’s integrity level. In previous Windows versions, the SACL was used only to store an object’s auditing settings. When you open an object’s SACL from the advanced view of the Windows ACL viewer, the object’s integrity level isn't displayed. (Microsoft decided not to show the object's integrity levels in the ACL viewer in Windows 2008 and Vista.)

To display an object's integrity level, you must use the new Windows 2008 and Vista icacls.exe command-line utility. (Icacls is also available in Windows Server 2003 SP2.) Don’t be disappointed if you see only an object’s audit settings and not an integrity level when you run Icacls. Most Windows objects have the default medium integrity level, which isn't stored in the SACL. Only after an administrator has explicitly set an object’s integrity level to something other than medium will the integrity level show up in the Icacls command output.

Figure 2 shows how to set an object’s integrity level by using the Icacls command with the /setintegritylevel switch, and then retrieve the same object’s integrity level by using the Icacls command. Note that the integrity level is displayed with a Mandatory Label domain name. This name helps you easily recognize an object’s integrity level among the different object permissions in the SACL.

Integrity Control also assigns integrity levels to users and processes. A user’s integrity level is stored as a special group object in the user’s access token. The access token is a digital token that every Windows user gets after he or she successfully authenticates to Windows and that contains the user’s rights and group memberships. The Windows authorization process uses the access token to decide whether a user can access a resource.

To view the content of your personal access token, use the Whoami command with the /groups switch. Figure 3 shows the groups contained in the access token of the built-in Administrator account: First in the list are the SIDs of the groups the built-in Administrator is a member of, and last is the Administrator’s integrity level group SID. By default, Windows 2008 and Vista give the built-in Administrator a high integrity level. Also note the SID that's associated to the high integrity level—Microsoft defined a set of new well-known security principals and SIDs to represent integrity levels in users’ and processes’ access tokens. For a list of each integrity level's SID, see Table 1.

A Windows process’s integrity level is also stored in its access token. A process inherits its integrity level from either the integrity level of the user account that executed the associated program or from the integrity level of the program itself. If the user account and program have a different integrity level, the resulting process’s integrity level is the lower of the two integrity levels.
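As an added Python sketch (not code from the article), the following models the logic just described: it reads a token's level from whoami /groups output, reads an object's label from icacls output and treats an absent label as the implicit medium level, applies the lower-of-the-two rule for processes, and layers the no-write-up check on top of the DACL decision. The sample command output is constructed, and the S-1-16-* values are the standard well-known integrity-level SIDs.

```python
import re

# Well-known integrity-level SIDs are S-1-16-<rid>; a higher RID is a higher level.
LEVEL_RID = {"Untrusted": 0, "Low": 4096, "Medium": 8192, "High": 12288, "System": 16384}
RID_LEVEL = {rid: name for name, rid in LEVEL_RID.items()}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance flags, not label policy

# Constructed sample output in the shape of 'whoami /groups' and 'icacls' (not real captures).
WHOAMI_SAMPLE = """Group Name                           Type             SID
Everyone                             Well-known group S-1-1-0
Mandatory Label\\High Mandatory Level Label            S-1-16-12288
"""
ICACLS_SAMPLE = r"""C:\test\wic.txt NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                Mandatory Label\High Mandatory Level:(NW)
"""

def token_level(whoami_groups_output):
    """Integrity level of a token, taken from the S-1-16-* group in 'whoami /groups'."""
    m = re.search(r"\bS-1-16-(\d+)\b", whoami_groups_output)
    if not m:
        raise ValueError("no integrity-level SID in token")
    return RID_LEVEL[int(m.group(1))]

def object_level(icacls_output):
    """(level, policy) from icacls output. No Mandatory Label entry means the implicit
    medium level with the default no-write-up (NW) policy, which is not stored in the SACL."""
    m = re.search(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)", icacls_output)
    if not m:
        return "Medium", {"NW"}
    flags = set(re.findall(r"\(([A-Z]+)\)", m.group(2)))
    return m.group(1), flags - INHERIT_FLAGS

def process_level(user_level, program_level):
    """A process gets the lower of the launching user's and the program's levels."""
    return min(user_level, program_level, key=LEVEL_RID.get)

def access_allowed(subject_level, obj_level, policy, request, dacl_allows=True):
    """MIC check layered on the DACL: the DACL must still grant access, and a subject
    below the object's level is additionally denied write (NW), read (NR) or execute (NX)."""
    if not dacl_allows:
        return False
    if LEVEL_RID[subject_level] >= LEVEL_RID[obj_level]:
        return True
    return {"write": "NW", "read": "NR", "execute": "NX"}[request] not in policy
```

The Figure 1 scenario is access_allowed("Medium", *object_level(ICACLS_SAMPLE), "write"), which is denied even though the DACL grants full control.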

Windows 2008 and Vista don't include a tool to check a process’s integrity level (and no, you can't use Whoami or Task Manager—yet). You can, however, check by using the Sysinternals Process Explorer, a free tool that you can download from http://www.microsoft.com/technet/sysinternals/processesandthreads/processexplorer.mspx. To view a process's integrity level in Process Explorer, you must first add the Integrity Level column. You can add the column in the Select Columns dialog box, which you can access from Process Explorer’s View menu. Figure 4 shows the Integrity Level column in the Process Explorer interface.

By default, only the OS or an administrator can change an object’s integrity level. However, if you understand the integrity level change logic and have administrator-level permissions, you can modify the logic to grant integrity level change permissions to a standard user, for example.

The ability to change an object’s integrity level is granted by a new user right that Microsoft introduced in Windows 2008 and Vista: Modify an object label (aka SeRelabelPrivilege). The built-in administrator account is granted this right by default, although the privilege isn't displayed if you check the administrator’s access token by using Whoami or from the User Rights Assignments container in the Group Policy Object (GPO) settings.

Users and administrators who have been granted the SeRelabelPrivilege right must also have the Change permissions and Take ownership permissions on an object before they can change that object's integrity level. An important restriction for administrators or users who've been granted the SeRelabelPrivilege right is that they can never raise an object’s integrity level above their user account’s integrity level. Any user that has Read permissions on an object can read the object’s integrity level.

Isolate Internet Malware

Integrity Control ensures that untrusted software that could be malware can't interfere with other user or system data. The Integrity Control malware protection in Windows 2008 and Vista is largely transparent to users: The OS automatically assigns integrity levels to Web content and ensures that this content can't interfere with resources that have a higher integrity level. Integrity Control offers a powerful access control model that might be used to constrain all Windows resources in the future, not just resources that originate from the Internet.